Christian Ciach created THRIFT-4362:
---------------------------------------
Summary: Missing size-check can lead to huge memory allocation
Key: THRIFT-4362
URL: https://issues.apache.org/jira/browse/THRIFT-4362
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.10.0, 0.9.3
Reporter: Christian Ciach
In some cases the method
{{monospaced}}org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int
size){{monospaced}} gets called with a "size" parameter that has not been
validated by the existing method {{monospaced}}checkStringReadLength(int
size){{monospaced}}.
This is true if the method is called by
{{monospaced}}readMessageBegin(){{monospaced}} of the same class. The method
{{monospaced}}readString(){{monospaced}} checks the size correctly before
calling {{monospaced}}readStringBody(int size){{monospaced}}.
Since the readStringBody-method is public, there may be other callers who don't
check the size before calling this method.
We encountered this issue in production several times. Because of this we are
currently using our own patched version of libthrift-0.9.3. The patch is
attached, but it is surely not the best solution, because with this patch the
size may be checked twice, depending on the caller.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)